voltagex/sslh.cfg

Created Mar 20, 2019
Transparent sslh to ssh (get IPs for fail2ban or Match rules) - without iptables
# from http://rutschle.net/pipermail/sslh/2018-April/000674.html
verbose: 1;
foreground: true;
inetd: false;
transparent: true;
user: "sslh";
pidfile: "/var/run/sslh.pid";
syslog_facility: "auth";
listen: ({ host: "10.1.1.222"; port: "443"; });
protocols: ({
    name: "ssh"; service: "ssh"; host: "127.0.0.2"; port: "22";
    log_level: 5;
});

[Unit]
Description=SSL/SSH multiplexer
After=network.target
Documentation=man:sslh(8)
[Service]
Environment=SYSTEMD_LOG_LEVEL=debug
ExecStart=/usr/sbin/sslh -F /etc/sslh/sslh.cfg
KillMode=process
PermissionsStartOnly=true
# Add the ip rules and route to enable Transparent Proxy
ExecStartPre=/sbin/ip rule add fwmark 0x1 lookup 100
ExecStartPre=/sbin/ip route add local 0.0.0.0/0 dev lo table 100
ExecStartPre=/sbin/ip rule add from 127.0.0.2/32 table 100
ExecStartPre=/sbin/ip route flush cache
# Remove the ip rules and route used for the Transparent Proxy
ExecStopPost=/sbin/ip rule del fwmark 0x1 lookup 100
ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 100
ExecStopPost=/sbin/ip rule del from 127.0.0.2/32 table 100
ExecStopPost=/sbin/ip route flush cache
[Install]
WantedBy=multi-user.target
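The ExecStartPre lines above add the policy-routing rules, but nothing verifies that they are in place (or that an unclean restart has not left duplicates behind). The following check script is an added example, not part of the gist; it assumes the values from the unit file (mark 0x1, table 100, upstream 127.0.0.2) and the text format of iproute2's `ip rule show` and `ip route show table 100`, and takes that output as arguments so it can also be run against captured text.

```shell
#!/bin/sh
# Added example, not part of the gist: verify the transparent-proxy routing
# state that the unit's ExecStartPre lines are supposed to create.
# Values below are taken from the unit file above.
FWMARK="0x1"
TABLE="100"
UPSTREAM="127.0.0.2"   # the sshd address sslh forwards to

# Count lines of $1 matching extended regex $2 (prints 0 when none).
count_matches() {
  printf '%s\n' "$1" | grep -Ec "$2" || true
}

# Return 0 when the fwmark rule, the from-upstream rule and the local
# catch-all route are all present; otherwise list what is missing and
# return 1. Duplicated rules (left over from restarts where ExecStopPost
# did not run) are reported as warnings.
check_routing() {
  rules="$1"; routes="$2"; rc=0
  ip_re=$(printf '%s' "$UPSTREAM" | sed 's/\./\\./g')   # regex-escape the IP
  # `ip rule show` prints "from 127.0.0.2 lookup 100" (the /32 is dropped).
  for re in "fwmark $FWMARK lookup $TABLE" "from ${ip_re}(/32)? lookup $TABLE"; do
    n=$(count_matches "$rules" "$re")
    if [ "$n" -eq 0 ]; then
      echo "missing ip rule: $re"; rc=1
    elif [ "$n" -gt 1 ]; then
      echo "warning: ip rule '$re' present $n times"
    fi
  done
  # `ip route add local 0.0.0.0/0 dev lo` is shown as "local default dev lo".
  if [ "$(count_matches "$routes" "^local (default|0\.0\.0\.0/0) dev lo")" -eq 0 ]; then
    echo "missing route in table $TABLE: local default dev lo"; rc=1
  fi
  return $rc
}

# Run the check against the live system (the show commands need no root).
check_live() {
  check_routing "$(ip rule show)" "$(ip route show table "$TABLE")"
}
```

Run `check_live` after starting the unit; a missing rule or route means sshd will see connections from sslh's own address instead of the client's, so fail2ban or Match blocks keyed on the client IP will not work.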
@voltagex voltagex commented Mar 20, 2019

Notes: this is set up for some extra logging at the moment.

On Debian/Ubuntu, /etc/default/sslh is set up, /etc/sslh/sslh.cfg is not.

Use /usr/sbin/sslh -F /etc/sslh/sslh.cfg because debugging through journalctl is a pain.
